{"id":85736,"date":"2018-02-07T19:29:42","date_gmt":"2018-02-07T13:59:42","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=85736"},"modified":"2018-02-08T11:35:01","modified_gmt":"2018-02-08T06:05:01","slug":"analysis-ms-office-document-exploiting-zero-day-flash-player-vulnerability-cve-2018-4878","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/analysis-ms-office-document-exploiting-zero-day-flash-player-vulnerability-cve-2018-4878\/","title":{"rendered":"An analysis of an MS office document exploiting a zero-day flash player vulnerability (CVE-2018-4878)"},"content":{"rendered":"<p><strong>Important update!<\/strong><br \/>\nAdobe Systems released a <a href=\"https:\/\/helpx.adobe.com\/security\/products\/flash-player\/apsb18-03.html\" target=\"_blank\" rel=\"noopener\">critical security update<\/a> on 6.02.2017 to fix the vulnerability discussed in this post. We recommend that you apply the update immediately.<\/p>\n<p><strong>Summary of the vulnerability<\/strong><\/p>\n<p>CVE-2018-4878 is a use-after-free vulnerability present in Adobe Flash Player 28.0.0.137 and earlier versions, and it is being exploited in the wild. Successful exploitation of this vulnerability could allow attackers to take control of the affected system. 
Attackers exploit this vulnerability with an MS Office document, distributed as a crafted email attachment, that has a malformed Flash ActiveX object embedded in its content.<\/p>\n<p>Quick Heal had earlier published an <a href=\"https:\/\/blogs.quickheal.com\/cve-2018-4878-adobe-flash-player-use-free-zero-day-vulnerability-alert\/\" target=\"_blank\" rel=\"noopener\">advisory<\/a> on this vulnerability.<\/p>\n<p><strong>Quick Heal analysis<\/strong><\/p>\n<p>Quick Heal Security Labs came across a malicious Excel document that uses this zero-day vulnerability.<\/p>\n<p>The following is an analysis of the exploit sample.<\/p>\n<p><strong>Components of the XLSX document<\/strong><\/p>\n<figure id=\"attachment_85740\" aria-describedby=\"caption-attachment-85740\" style=\"width: 601px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-85740\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player.png\" alt=\"\" width=\"601\" height=\"434\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player.png 601w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player-300x217.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player-540x390.png 540w\" sizes=\"(max-width: 601px) 100vw, 601px\" \/><figcaption id=\"caption-attachment-85740\" class=\"wp-caption-text\">Figure 1<\/figcaption><\/figure>\n<p><strong>Figure 2 displays the content of the decoy document (in Korean).<\/strong><\/p>\n<figure id=\"attachment_85741\" aria-describedby=\"caption-attachment-85741\" style=\"width: 643px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-85741\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player1.png\" alt=\"\" width=\"643\" height=\"509\" 
srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player1.png 643w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player1-300x237.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player1-493x390.png 493w\" sizes=\"(max-width: 643px) 100vw, 643px\" \/><figcaption id=\"caption-attachment-85741\" class=\"wp-caption-text\">Figure 2<\/figcaption><\/figure>\n<p>As shown in figure 2, the content of the decoy document is related to \u2018cosmetic products\u2019 along with their price.<\/p>\n<p>As shown in figure 1, the malicious document contains an embedded Flash Player File (SWF) which in turn contains another encrypted SWF file, highlighted in figure 3 below.<\/p>\n<figure id=\"attachment_85742\" aria-describedby=\"caption-attachment-85742\" style=\"width: 770px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-85742\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player2.png\" alt=\"\" width=\"770\" height=\"433\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player2.png 770w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player2-300x169.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player2-768x432.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player2-650x366.png 650w\" sizes=\"(max-width: 770px) 100vw, 770px\" \/><figcaption id=\"caption-attachment-85742\" class=\"wp-caption-text\">Figure 3<\/figcaption><\/figure>\n<p>The following ActionScript snippet is used to decrypt the embedded SWF file.<\/p>\n<figure id=\"attachment_85737\" aria-describedby=\"caption-attachment-85737\" style=\"width: 730px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" 
class=\"size-full wp-image-85737\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player3.png\" alt=\"\" width=\"730\" height=\"148\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player3.png 730w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player3-300x61.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player3-650x132.png 650w\" sizes=\"(max-width: 730px) 100vw, 730px\" \/><figcaption id=\"caption-attachment-85737\" class=\"wp-caption-text\">Figure 4<\/figcaption><\/figure>\n<p>Upon opening the document, EXCEL.EXE loads a vulnerable version of Flash Player ActiveX (Flash32_XX_X_X_XXX.ocx) which is used to execute the embedded SWF file.<\/p>\n<figure id=\"attachment_85738\" aria-describedby=\"caption-attachment-85738\" style=\"width: 846px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-85738\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player4.png\" alt=\"\" width=\"846\" height=\"161\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player4.png 846w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player4-300x57.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player4-768x146.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player4-650x124.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player4-789x150.png 789w\" sizes=\"(max-width: 846px) 100vw, 846px\" \/><figcaption id=\"caption-attachment-85738\" class=\"wp-caption-text\">Figure 5<\/figcaption><\/figure>\n<p>Unfortunately, at the time of our analysis, the C&amp;C server did not respond and the attack could not proceed 
further for us to analyze it.<\/p>\n<p>Figure 6 shows the details of the HTTP request sent by the exploit.<\/p>\n<figure id=\"attachment_85739\" aria-describedby=\"caption-attachment-85739\" style=\"width: 705px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-85739\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player5.png\" alt=\"\" width=\"705\" height=\"187\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player5.png 705w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player5-300x80.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/a-zero-day-flash-player5-650x172.png 650w\" sizes=\"(max-width: 705px) 100vw, 705px\" \/><figcaption id=\"caption-attachment-85739\" class=\"wp-caption-text\">Figure 6<\/figcaption><\/figure>\n<p><strong>Definitions of the highlighted sections in figure 6.<\/strong><\/p>\n<p><strong>ID:<\/strong> Unique Identifier<\/p>\n<p><strong>FP_VS:<\/strong> Flash Player version installed on the victim system<\/p>\n<p><strong>OS_VS:<\/strong> Operating System version installed on the victim system<\/p>\n<p><strong>Indicators of compromise<\/strong><\/p>\n<ol>\n<li>5F97C5EA28C0401ABC093069A50AA1F8<\/li>\n<li>www[.]dylboiler[.]co[.]kr<\/li>\n<\/ol>\n<p><strong>What to do?<\/strong><\/p>\n<ol>\n<li>Update your Flash Player. Adobe has released a <a href=\"https:\/\/helpx.adobe.com\/security\/products\/flash-player\/apsb18-03.html\" target=\"_blank\" rel=\"noopener\">security update<\/a> to fix the discussed vulnerability<\/li>\n<li>Update your antivirus<\/li>\n<li>Enable Protected Mode for MS Office applications<\/li>\n<li>Until you apply the fix, temporarily block Flash Player ActiveX for MS Office applications. 
<a href=\"https:\/\/blogs.technet.microsoft.com\/office_sustained_engineering\/2011\/03\/17\/blocking-activex-controls-from-loading-in-microsoft-office\/\" target=\"_blank\" rel=\"noopener\">Click here<\/a> to know how to do this<\/li>\n<\/ol>\n<p><strong>Conclusion<\/strong><br \/>\nThe attacker has encrypted a Flash object to make the analysis complex and difficult. The exploit retrieves the decryption key from the C&amp;C Server which is currently inactive.<\/p>\n<p>We are actively looking for other variants of this exploit for a detailed analysis.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Subject Matter Experts<\/strong><\/p>\n<p>Nitten Dhamanay, Siraj Attar | Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Important update! Adobe Systems released a critical security update on 6.02.2017 to fix the vulnerability discussed in this post. We recommend you to apply the update immediately. Summary of the vulnerability CVE-2018-4878 is a use-after-free vulnerability present in Adobe Flash Player 28.0.0.137 and its earlier versions are being exploited in the wild. 
A successful exploitation [&hellip;]<\/p>\n","protected":false},"author":29,"featured_media":85743,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[70,1395],"tags":[1576,1224,718],"class_list":["post-85736","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-adobe","category-vulnerability","tag-cve-2018-4878","tag-flash-player","tag-zero-day"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85736"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=85736"}],"version-history":[{"count":4,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85736\/revisions"}],"predecessor-version":[{"id":85753,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85736\/revisions\/85753"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/85743"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=85736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=85736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=85736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}